{#
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at https://mozilla.org/MPL/2.0/.
#}

{% extends "mozorg/moss/base.html" %}

{% block page_title %}Secure Open Source — {{ super() }}{% endblock %}

{% block body_id %}moss-secure-open-source{% endblock %}

{% block page_heading %}
  Secure Open Source
{% endblock %}

{% block page_content %}
<div class="t-medium">
  <section class="mzp-l-content">
    <h2 class="moss-section-heading">About</h2>

    <p>
      The Secure Open Source ("SOS") track of MOSS supports security audits for
      open source software projects, and remedial work to rectify the problems
      found.

    {% with url1='https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed' %}
      You can read about the
      <a href="{{ url1 }}">audits we’ve completed so far</a>.
    {% endwith %}
    </p>

    <div class="moss-cta">
      <p>Ready to suggest a recipient?</p>

      <a href="https://docs.google.com/forms/d/1f0xSg9XM8v7YGdZ_FzeE67ggckbAsg6sH1mpQ4buTQE/viewform" class="mzp-c-button" rel="external">Nominate Now</a>
    </div>
  </section>

  <section class="mzp-l-content moss-section">
    <h2 class="moss-section-heading">
      What your project should include
    </h2>

    <p>
The SOS Fund has only a small set of firm rules:
    </p>

    <ul class="mzp-u-list-styled">
      <li>
        The software must be open source/free software, with a license that is
        OSI-certified and/or FSF-approved
      </li>
      <li>
        The software must be actively maintained
      </li>
    </ul>
  </section>

  <section class="mzp-l-content moss-section">
    <h2 class="moss-section-heading">How we’ll make our decision</h2>

    <p>
      We have a series of factors we consider when evaluating an application.

      For example:
    </p>

    <ul class="mzp-u-list-styled">
      <li>
        How commonly used is the software?
      </li>
      <li>
        Is the software network-facing or does it regularly process untrusted
        data?
      </li>
      <li>
        How vital is the software to the continued functioning of the Internet
        or the Web?
      </li>
      <li>
Is the project known for something other than the specific code we are relying on?
      </li>
      <li>
        Does the software depend on closed-source code, e.g. in a web service?
      </li>
      <li>
        Are the software’s maintainers aware of and supportive of the
        application for support from the SOS fund?
      </li>
      <li>
        Has the software been audited before?

        If so, when and how extensively?

        Was the audit made public?

        If so, where?
      </li>
      <li>
        Does the software have existing corporate backing or involvement?
      </li>
    </ul>

    <p>
      The answers to such questions are often not “yes” or “no”, but matters of
      degree, and so Mozilla will take the entire picture into account when
      assessing projects.
    </p>
  </section>

  <section class="mzp-l-content moss-section">
    <h2 class="moss-section-heading">How to apply</h2>

    <p>
      At this time, candidates for an award are chosen by Mozilla.

      If you have a suggestion for a project which you think meets the criteria
      above, and where an audit might particularly benefit the project and the
      Internet community, please fill out the form through the link below.
    </p>

    <div class="moss-cta">
      <p>
        Suggest a recipient.
      </p>

      <a href="https://docs.google.com/forms/d/1f0xSg9XM8v7YGdZ_FzeE67ggckbAsg6sH1mpQ4buTQE/viewform" rel="external" class="mzp-c-button">Nominate Now</a>
    </div>
  </section>

  <section class="mzp-l-content moss-section">
    <h2 class="moss-section-heading">FAQ</h2>

    <dl class="mzp-u-list-styled">
      <dt>
        We’ve been asked how this project compares to the Core Infrastructure
        Initiative of the Linux Foundation.

        Here’s a short answer:
      </dt>

      <dd>
        We believe our model of support is different from and complementary to
        CII’s.

We view CII as focused on necessary, deeper-dive investments into core
        open source security infrastructure, such as OpenSSL.

        This is important work.

The SOS Fund, by contrast, focuses on more point-in-time work: its audit and
        remediation approach targets a different class of OSS projects, whose
        security needs are lower-hanging fruit, and it uses an open, public-facing
        application form.

        To have substantial and lasting benefit in tackling such a significant
        issue as open source security, we need a broad range of solutions,
        including investment, audits, education, best practices, and a host of
        others.

        We believe the SOS Fund, alongside CII and other efforts, can help
        catalyze industry momentum to strengthen open source security.
      </dd>
    </dl>

    <p>
      If you have further questions, please feel free to contact us at
      <a href="mailto:sosfund@mozilla.com">sosfund@mozilla.com</a>.
    </p>
  </section>
</div>

{% include('mozorg/moss/includes/alittlebitmore.html') %}

{% endblock %}
